General

  • Target

    c83fa0fe8fcce8c22dc31440b883ee13badb2438f6a35ddd56a7b8c7e03c335c.vbs

  • Size

    33KB

  • Sample

    240917-byz2aayhkc

  • MD5

    59a24e918603e8e13baece1f49ccb169

  • SHA1

    84e045dcf3e4c49445abe4e61af4795e8091d5de

  • SHA256

    c83fa0fe8fcce8c22dc31440b883ee13badb2438f6a35ddd56a7b8c7e03c335c

  • SHA512

    85561f9127d28e46ccb0a7329892cece142e817f77dbe77e1d2583ba4b29bf234c8334fe5596e30fe08d3edb1d615cbc9c8da8790f037c065664f0c29dd68c86

  • SSDEEP

    384:ljD6h5upiUy+I4B8Gyh6r4x8yGNy0wVS2fwspQsFXkInOEZfDBEwA0QmKCp:45uhyt4Xyh6r4x8ygGnusS3EZrp4ep

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.antoniomayol.com:21
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    cMhKDQUk1{;%

Targets

    • Target

      c83fa0fe8fcce8c22dc31440b883ee13badb2438f6a35ddd56a7b8c7e03c335c.vbs

    • Size

      33KB

    • MD5

      59a24e918603e8e13baece1f49ccb169

    • SHA1

      84e045dcf3e4c49445abe4e61af4795e8091d5de

    • SHA256

      c83fa0fe8fcce8c22dc31440b883ee13badb2438f6a35ddd56a7b8c7e03c335c

    • SHA512

      85561f9127d28e46ccb0a7329892cece142e817f77dbe77e1d2583ba4b29bf234c8334fe5596e30fe08d3edb1d615cbc9c8da8790f037c065664f0c29dd68c86

    • SSDEEP

      384:ljD6h5upiUy+I4B8Gyh6r4x8yGNy0wVS2fwspQsFXkInOEZfDBEwA0QmKCp:45uhyt4Xyh6r4x8ygGnusS3EZrp4ep

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks